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DETAILED ACTION 

Continued Examination Under 37 CFR 1.114 

1. A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1 .17(e), was fiied in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1 .17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. 

Applicant's submission fiied on 7/29/2008 has been entered. 

2. This action is responding to application papers filed 12-23-2003. Claims 1 - 4, 8 
-16, 18- 26, 28 - 34 are pending. Claims 1,3, 4, 6, 7, 9, 10, 13, 15, 16, 18, 19, 23, 
25, 26, 28, 29, 31, 32 have been amended. Claims 5, 17, 27 have been cancelled. 
Claims 1, 13, 23 are independent. 

Response to Arguments 

3. Applicant's arguments fiied 7/29/2008 have been fully considered and are partially 
persuasive. A new ground of rejection has been entered. 

3.1 Applicant argues for claims 1, 13, 23, the direct transfer of a session ID and 
timestamp parameters indicating session state information between two network- 
connected systems, (see Remarks Pages 8-14) 

The Wood prior art discloses redirection methods for the transmission of a 
designated session token between servers without storage of the session token at the 
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browser, (see Woods paragraph [0050], lines 12-17; paragraph [0051], lines 13-16) 

The Woods prior art discloses the direct transfer of session state parameters such 
as a session ID parameter and a time/date parameter between network-connected 
entities, (see Williams paragraph [0050], lines 15-17: some parameters can be passed 
directly) And, the Lennon prior art discloses the direct transfer of session state 
information consisting of a session iD and additional session state information such as a 
time/date parameter between servers, (see Lennon col. 54, lines 37-40: transmit a 
session identifier from a first device to a second device; col. 54, lines 45-50; col. 56, 
lines 1-6: redirecting session output from first device to second device; transfer session 
information (session iD and additional session state information) between two servers) 

3,2 Applicant argues the obviousness rejection, (see Remarks Pages 8, 9) 

Each obviousness combination indicates the claim limitation(s) the combined prior 
art references teach. In addition, a cited passage from the referenced prior art indicates 
the motivation for the obviousness combination. Each obviousness combination's 
disclosure is equivalent to the Applicant's claimed limitation(s) for the claimed invention. 

It is not a requirement that the referenced prior art solve the same problem as 
claimed invention in order to be combinable. There are three criteria for combination: 
(1) same file of endeavor (which is session management); (2) motivation for the 
combination (stated in Office Action); and (3) successful disclosure of claim limitation 
due to prior art combination. AH three criteria are satisfied by the Office Action, (see 
Williams paragraph [0016], iines 1-4; paragraph [0036], iines 1-2; see Woods paragraph 
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[0047], lines 6-14; paragraph [0057], iines 21-24; see Bachman col. 1, lines 65-67: 
same field of endeavor: session management) 

3.3 The Williams prior art invention discloses a database for the storage of session 
management information, (see Williams paragraph [0037], lines 10-12; paragraph 
[0075], iines 12-16: database, storage). !n addition, the Williams prior art discloses the 
capability to redirect service requests from one server to another server for service 
completion, (see Williams paragraph [0067], lines 12-18: redirection of session token 
and session information, redirection request for resources) 

The Williams prior art discloses a system for secure session management within a 
collection of web server systems (web farm) using a session token. The claim 
limitations disclose that the token is renewed after each use. (see Specification Page 2, 
Paragraph [0006], iines 7-9) in the Williams prior art a session management web 
service updates the session token with each received request, (see Williams 
paragraph [0016], lines 7-13; paragraph [0016], iines 4-7: generate new encrypted 
session token and transfer) in addition, the Williams prior art discloses the capability to 
encrypt and decrypt the designated session token. 

The Williams and Woods prior art combination discloses that if the request must be 
redirected to a different server where the requested resource is located (see Williams 
paragraph [0067], lines 12-18: redirection of session token and session information, 
redirection request for resources) then the decrypted session token is transmitted to the 
new server (see Wood paragraph [0044], iines 8-14; paragraph [0051], lines 1-3: 
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session token with redirection request) and the session management web service 
generates a new session token to be used in piace of the previous session token. The 
new session token is transmitted with the requested web resource. 

The Williams prior art discloses that the server is utilized for authentication and 
session token(s) generation. Also, the Williams prior art discloses the capability for 
session tokens to be encrypted and decrypted during session token processing, (see 
Williams paragraph [0051], lines 14-16: encryption/decryption utilized for security) 
Once client access procedures are completed, the Williams prior art processes service 
requests to access a required resource. 

Claim Rejections - 35 USC § 103 

4. The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art 
are such that the subject matter as a whole would have been obvious at the time the invention was made 
to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

5. Claims 1 - 6, 9 - 18, 21 -28, 31 -34 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Williams et al. (US PGPUB No. 20030005118) in view of 
Wood et al. (US PGPUB No. 20040210771) and further in view of Lennoo et a!. (US 
Patent No. 7,099,940). 



With Regards to Claims 1, 23, Williams discloses a method, computer program 
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product of secure session management for a web farm, the web farm including a first 
server and a second server, the second server having a requested web page, the 
method comprising: 

a) receiving, at the first server, a request for the requested web page from a 
browser, said request including an encrypted session token associated with a 
session : (see Williams paragraph [0016], lines 1-4: session management 
(associated with a session); paragraph [0019], lines 1-5: request processing; 
paragraph [0016], lines 1-4: session token; paragraph [0050], lines 10-16; 
paragraph [0051], lines 14-16: encryption utilized for security; paragraph [0016], 
lines 1-4: program product) 

b) decrypting said encrypted session token at the first server to obtain a session 
information; (see Williams paragraph [0020], lines 8-1 1 : validate (must decryption 
required to process encrypted information) session information, process 
encrypted session information; paragraph [0016], lines 1-4: program product) 

d) verifying said session, (see Williams paragraph [0020], lines 8-11; paragraph 
[0074], lines 7-1 1 : validate session token information, client and session 
identification information; paragraph [0016], lines 1-4: program product) 

Williams discloses wherein redirecting said request to the second server, (see 
Williams paragraph [0067], lines 12-18: redirection of session information) Williams 
does not specifically disclose including the transmission of said session token to the 
second server in a redirect request. 
However, Wood discloses: 
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c) including transmitting said session token to the second server; (see Wood 
paragraph [0044], lines 8-14; paragraph [0051], lines 1-3: session token with 
redirection request) 

It would have been obvious to one of ordinary skill in the art to modify Williams 
for transmitting a session token and session state information to a second server as 
taught by Wood. One of ordinary skill in the art would have been motivated to 
employ the teachings of Wood in order to enable the capability to upgrade session 
credentials and maintain session continuity, (see Wood paragraph [0016], lines 11- 
16: "... The session upgrading means upgrading the session by obtaining and 
authenticating a second credential to allow access to the target information resource 
if the first authenticated credential is inconsistent with the trust level requirement. 
The session upgrade means maintains session continuity across credential 
upgrades. ... ") 

Williams-Woods does not specifically disclose direct transmission of a session ID 
and additional session state information such as a time/date parameter between two 
systems. However, Lennon discloses for a); b): wherein including transmitting said 
session ID and timestamp directly to the second server, (see Lennon col. 54, lines 
37-40: transmit a session identifier (directly) from a first device to a second device; 
col. 54, lines 45-50; col. 56, lines 1-6: redirecting session output from first device to 
second device; transfer session information (session ID and additional session state 
information) between two servers) 
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It would have been obvious to one of ordinary skill in the art to modify Williams 
to directly transmit a session ID and timestamp (session state information) to a 
second server as taught by Lennon, One of ordinary skill in the art would have been 
motivated to employ the teachings of Lennon in order to save time and greatly 
reduce aggregation due to customer not having to use a different search engine 
interface for searching each content provider (see Lennon col. 1 , line 67 - col. 2, 
line 7: " ... If the potential customer wanted to perform a search across several 
different content providers/distributors, the potential customer would have to visit the 
Web site and use the search engine of each of the different content 
providers/distributors. Such actions are often time consuming and annoying 
because the potential customer must use a different search engine interface each 
time. ... ") 

With Regards to Claims 2, 24, Williams discloses the method, computer program 
product claimed in claims 1, 23, further including creating a new session token, 
encrypting said new session token at the second server to produce a new encrypted 
session token, and transmitting a response to said browser from the second server, 
wherein said response includes said new encrypted session token, (see Williams 
paragraph [0016], lines 7-13; paragraph [0016], lines 4-7: generate new encrypted 
session token and transfer; paragraph [0016], lines 1-4: software implementation, 
program product) 
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With Regards to Claims 3, 5, 15, 17, 25, 27, Williams discloses the method, system, 
computer program product claimed in claims 2, 13, 14, 23, 24, wherein said creating a 
new session token includes generating a new session ID and updating said timestamp. 
(see Williams paragraph [0062], lines 9-16; paragraph [0050], lines 1-5: session token, 
session ID and timestamp; paragraph [0016], lines 1-4: software implementation, 
program product) 

With Regards to Claims 4, 16, 26, Williams discloses the method, system, computer 
program product claimed in claims 2, 14, 24, further including a step of updating a 
common session database by replacing said session information with said new session 
token in said common session database, (see Williams paragraph [0069], lines 9-15: 
database for session token information storage paragraph [0016], lines 1-4: software 
implementation, program product) 

And, Lennon discloses wherein including transmitting said session iJD and timestamp 
directly to the second server, (see Lennon col. 54, lines 37-40: transmit a session 
identifier from a first device to a second device; coS. 54, lines 45-50; col. 56, lines 1-6: 
redirecting session output from first device to second device; transfer session 
information (session ID and additional session information) between two servers) 

It would have been obvious to one of ordinary skill in the art to modify Williams to 
transmit said session ID and timestamp (session state information) directly to the 
second system as taught by Lennon. One of ordinary skill in the art would have been 
motivated to employ the teachings of Lennon in order to save time and greatly reduce 
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aggregation due to customer not having to use a different search engine interface for 
searching each content provider, (see Lennon coi. 1, line 67 - col. 2, line 7) 

With Regards to Claims 6, 18, 28, Williams discloses the method, system, computer 
program product claimed in claims 1, 17, 23, wherein a common session database 
contains a stored session ID and a stored timestamp, and wherein said verifying 
includes comparing said session ID and said timestamp with said stored session ID and 
said stored timestamp. (see Williams paragraph [0069], lines 9-15: database for session 
token information storage; paragraph [0062], lines 9-16; paragraph [0050], lines 1-5: 
session token, session ID and timestamp; paragraph [0020], lines 8-1 1 : verification 
session information paragraph [0016], lines 1-4: software implementation, program 
product) 

With Regards to Claims 9, 21, 31, Williams discloses the method, system, computer 
program product claimed in claims 1,13, 23, wherein said step of transmitting includes 
incorporating said session information into a URL. (see Williams paragraph [0044], lines 
8-12: URL processing techniques utilized paragraph [0016], lines 1-4: software 
implementation, program product) 

And, Lennon discloses wherein includes incorporating said session SD and timestamp 
into a URL. (see Lennon coi. 54, lines 37-40: transmit a session identifier from a first 
device to a second device; col. 54, lines 45-50; col. 56, lines 1-6: redirecting session 
output from first device to second device; transfer session information (session ID and 
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additional session information) between two servers) 

It would have been obvious to one of ordinary skill in the art to modify Williams to 
transmit said session !D and timestamp (session state information) directly to the 
second server as taught by Lennon. One of ordinary skill in the art would have been 
motivated to employ the teachings of Lennon in order to save time and greatly reduce 
aggregation due to customer not having to use a different search engine interface for 
searching each content provider, (see Lennon col. 1 , line 67 - col. 2, line 7) 

With Regards to Claims 10, 32, Williams discloses the method, computer program 
product claimed in claims 1 , 23, wherein a session management web service performs 
said step of verifying, said session management web service being accessible to said 
first server and said second server, and wherein said verifying includes comparing said 
session information with stored session data, (see Williams paragraph [0020], lines 8- 
11: session information verification paragraph [0016], lines 1-4: software 
implementation, program product) 

And, Lennon discloses wherein includes transferring said session SD and timestamp 
between systems for comparison, (see Lennon col 54, lines 37-40: transmit a session 
identifier from a first device to a second device; col. 54, lines 45-50; col. 56, lines 1-6: 
redirecting session output from first device to second device; transfer session 
information (session !D and additional session information) between two servers) 

It would have been obvious to one of ordinary skill in the art to modify Williams to 
transmit said session ID and timestamp (session state information) directly to the 
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second server as taught by Lennon. One of ordinary skiii in the art would have been 
motivated to employ the teachings of Lennon in order to save time and greatly reduce 
aggregation due to customer not having to use a different search engine interface for 
searching each content provider, (see Lennon col. 1 , line 67 - col. 2, line 7) 

With Regards to Claims 11, 33, Williams discloses the method, computer program 
product claimed in claims 10, 32, wherein the web farm further includes a common 
session database containing said stored session data, (see Williams paragraph [0013], 
lines 5-9; paragraph [0036], lines 3-4: web farms, set of interconnected web servers 
paragraph [0016], lines 1-4: software implementation, program product) 

With Regards to Claims 12, 22, 34, Williams discloses the method, system, computer 
program product claimed in claims 1,13, 23, wherein said requested web page includes 
a web resource selected from the group including an applet, an HTML page, a Java 
server page, and an Active server page, (see Williams paragraph [0044], lines 3-8; 
paragraph [0042], lines 8-15: protected resource, a HTML web page paragraph [0016], 
lines 1-4: software implementation, program product) 

With Regards to Claim 13, Williams discloses a system for secure session 
management, the system being coupled to a network and receiving a request for a 
requested web page from a browser via the network, the request including an encrypted 
session token, the system comprising: 
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b) a second server including the requested web page; (see Williams paragraph 
[0013], lines 5-9: multiple servers; paragraph [0044], lines 3-8; paragraph [0042], 
lines 8-15: resource requested, a HTML web page) 

c) a common session database including stored session data; (see Williams 
paragraph [0069], lines 9-15: database for session token information storage) 

Also, Williams discloses: 

a) a first server including a first request handler for receiving the request and 
decrypting the encrypted session token to produce a session information, (see 
Williams paragraph [0013], lines 5-9; paragraph [0050], lines 10-16: multiple 
servers, encrypted; paragraph [0020], lines 8-1 1 : validate (i.e. must decrypt in 
order to process) session information) 

d) a session management web service, accessible to said first server and said 
second server and including a validation component for comparing said session 
token with said stored session data; (see Williams paragraph [0020], lines 8-1 1 : 
session verification information) 

Williams discloses wherein said first request handler adapted to redirect the request 
to said second server, (see Williams paragraph [0067], lines 12-18: redirection 
capabilities) Williams does not specifically disclose the transfer of session state 
information between two servers. 
However, Wood discloses: 

e) transmit the session information to said second server, (see Wood paragraph 
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[0044], lines 8-14; paragraph [0051], lines 1-3: session token with redirection 
request; paragraph [0050], Sines 15-17: direct transfer of parameters between two 
systems) 

It would have been obvious to one of ordinary skill in the art to modify Williams 
to enable the capability for including transmitting said session token to the second 
server as taught by Wood. One of ordinary skill in the art would have been 
motivated to employ the teachings of Wood in order to enable the capability to 
upgrade session credentials and maintain session continuity, (see Wood paragraph 
[0016], lines 11-16) 

And, Lennon discloses wherein includes transmitting said session SD and timestamp 
between systems, (see Lennon col. 54, lines 37-40: transmit a session identifier from 
a first device to a second device; co!. 54, lines 45-50; col. 56, lines 1-6: redirecting 
session output from first device to second device; transfer session information 
(session ID and additional session information) between two servers) 

It would have been obvious to one of ordinary skill in the art to modify Williams 
to transmit said session ID and timestamp directly to the second server as taught by 
Lennon. One of ordinary skill in the art would have been motivated to employ the 
teachings of Lennon in order to save time and greatly reduce aggregation due to 
customer not having to use a different search engine interface for searching each 
content provider, (see Lennon col. 1 , line 67 - col. 2, line 7) 



With Regards to Claim 14, Williams discloses the system claimed in claim 13, wherein 
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said session management web service includes a token generator for creating a new 
session token for said second server, and wherein said second server includes a 
second request handler, said second request handler encrypting said new session 
token to produce a new encrypted session token and transmitting a response to said 
browser, wherein said response includes said new encrypted session token, (see 
Williams paragraph [0016], lines 7-10; paragraph [0016], lines 4-7: new session token 
generated and transferred; paragraph [0050], lines 10-16; paragraph [0051], lines 14- 
16: encrypted session token information) 

6. Claims 7, 8, 10, 20, 29, 30 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Williams-Wood-Lennon and further in view of Bachman et al. (US 
Patent No. 5,907,621). 

With Regards to Claims 7, 19, 29, Williams discloses the method, system, computer 
program product claimed in claims 1, 14, 23. (see Williams paragraph [0050], lines 1-5 : 
time parameter usage and processing; paragraph [0016], lines 1-4: software 
implementation, program product) Williams does not specifically disclose a time out 
processing capability. However, Bachman discloses wherein including determining 
whether a session has timed out, said step of determining including determining an 
elapsed time between said timestamp and a current server time, and comparing said 
elapsed time with a predetermined maximum time to determine whether said session 
has timed out. (see Bachman col. 1 , lines 65-67: session management; col. 4, lines 11- 
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17; col. 6, lines 10-19: process time out condition) 

It would have been obvious to one of ordinary skill in the art to modify Williams to 
process a time period expiration condition as taught by Bachman. One of ordinary skill 
in the art would have been motivated to employ the teachings of Bachman in order to 
enable the capability to create a secure communications session between server and 
client systems and avoid distracting the client with the placement of token information 
within the page, (see Bachman col. 1 , lines 65-67: " ... An advantage of the present 
invention is that a secure user session can be established between an internet server 
and a browser at an unsecured client. . . . "; col. 2, lines 1 5-1 7: "... To avoid distracting 
the user, the token is carried in a field of the page that is normally not displayed in the 
presentation space. ...") 

With Regards to Claims 8, 20, 30, Williams discloses the method, system, computer 
program product claimed in claims 7, 19, 29. (see Williams paragraph [0050], lines 1-5: 
time parameter usage and processing; paragraph [0016], lines 1-4: software 
implementation, program product) Williams does not specifically disclose a time out 
processing capability. However Bachman discloses wherein includes closing said 
session if said session has timed out. (see Bachman col. 1, lines 65-67: session 
management; col. 4, lines 11-17; col. 6, lines 10-19: process time out condition, session 
erased, closed) 

It would have been obvious to one of ordinary skill in the art to modify Williams to 
process a time period expiration condition as taught by Bachman. One of ordinary skill 
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in the art would have been motivated to employ the teachings of Bachman in order to 
enable the capability to create a secure communications session between server and 
client systems and avoid distracting the client with the placement of token information 
within the page, (see Bachman col. 1, lines 65-67; col. 2, lines 15-17) 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Carlton V. Johnson whose telephone number is 571- 
270-1032. The examiner can normally be reached on Monday thru Friday , 8:00 - 
5:00PM EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser Moazzami can be reached on 571-272-4195. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 
273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 



Application/Control Number: 10/733,326 
Art Unit: 2136 



Page 18 



system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



Carlton V. Johnson 

Examiner 

Art Unit 2136 



CVJ 

August 18, 2008 



/Nasser G Moazzami/ 

Supervisory Patent Examiner, Art Unit 2136 



